Intrusion Detection Resources

Amidst all of the daily grind of maintaining and upgrading your network, who has time to perform routine security audits and scour Event Logs? Almost nobody. But installing an intrusion detection system can pay for itself in a very short period of time. This technology is relatively new and is still maturing, so research your solutions carefully, and have a plan for how to isolate and track an intruder once you locate one. If you've discovered an intrusion into your network, be sure to check our Incident Response and Computer Forensic Resource Centers for more information.

Recommended Books

Intrusion Detection: Network Security Beyond the Firewall
By Terry Escamilla. Published by John Wiley, Oct 1998. Paperback. ISBN 0471290009. We actually couldn't put this book down, which is rare for a technical book (even for us). A great primer for those new to IT Security, it covers the basics of Computer Security first, introduces common hacker techniques and tools for both UNIX and NT, reviews intrusion detection software and vulnerability scanners, and explains what to do if you find that you are being hacked. This is an excellent book that quickly made it to our favorites list. There is a companion website for the book at http://www.wiley.com/compbooks/escamilla/

Network Intrusion Detection: An Analyst's Handbook, 2nd Edition
Published by New Riders, Sept 2000. Paperback, 430 pages. ISBN 0735710082. Although not written specifically for Windows 2000, this is an excellent and practical technical reference by the developer of the Shadow intrusion detection system. However, it should not be considered a primer for the uninitiated, and strong TCP/IP skills are a must if you want to get the most out of this book. Coverage of common attacks, architectural issues, detection of exploits, intelligence gathering, risk management, and tools is excellent. The author also provides plenty of personal anecdotes and samples of real log files throughout the book, making this a valuable resource for Admins who want a real-world perspective of intrusion detection.

Implementing an Intrusion Detection System
Intrusion detection systems provide security administrators with tools to monitor, detect and respond to security incidents on the network. An IDS is the compilation of technologies and people that work together to provide the ability to identify and respond to malicious activities aimed at networked systems. A high-quality execution methodology will ensure that an IDS solution is implemented appropriately. Source: 8wire.com

Intrusion Detection Software
Learn more about the two most basic types of Intrusion Detection Systems (IDSs), and how you can protect your network from intruders. Source: Windows & .NET Magazine (Dec 2002)

Intrusion Detection Terminology (Part One)
This is the first of a two-part series that discusses IDS terminology, including terms where there may be disagreement from within the security community. Source: SecurityFocus.com

Intrusion Detection Terminology (Part Two)
This is the second and final part of the series that discusses IDS terminology, including terms where there may be disagreement from within the security community. Source: SecurityFocus.com

Monitoring and Auditing for End Systems
This document covers policy, goals, and monitoring architecture, with information about event, object, and performance monitoring, references and utilities. Source: Microsoft TechNet CD Online

NSA Glossary of Terms used in Security and Incident Handling
In April of 1998, the NSA completed a glossary of terms used in computer security and intrusion detection. The work, done primarily by Greg Stocksdale of the NSA Information Systems Security Organization, was comprehensive, accurate and useful. Because of the value of a comprehensive glossary, the SANS Institute is making it available for you right here.

Intrusion Detection Web Sites

CSI Intrusion Detection System Resource
The Computer Security Institute is a membership organization that serves and trains IS professionals on how to protect their networks. Although most of their site content is available to members only, some excellent material is
available. Check out the CSI Roundtable discussion on present and future intrusion detection systems.

Intrusion Detection Consortium
The Intrusion Detection Systems Consortium (IDSC) was established in 1998 to provide an open forum in which developers could work toward common goals such as educating end users, creating industry standards, product interoperability, and maintaining product integrity.

SRI/CSL's Intrusion Detection Page
Home of the SRI International Computer Science Laboratory. Lots of whitepapers and other resources, but hasn't been updated since 1997.

Advanced Perimeter Detection and Defense
How can you tell whether your system has been compromised, and what do you do if it has? If you are running a Windows NT or 2000 Web server with Microsoft IIS 4 or 5, this article will show you how to tighten perimeter security with automated tracking and detection techniques. Source: 8 Wire (Jan 31, 2001)

Anatomy of an Intrusion
A great eye-opening article on intrusions by Greg Shipley. Source: Network Computing's Security Workshop (Oct 1999)

Computer Crime Investigators Toolkit
A 4-part series that provides a summary of basic, practical knowledge, "tricks," if you like, that should interest all computer crime investigators. While they may not be the final word in preparing for an examination, these techniques will provide some insight into the ways and means of computer criminals. Source: EarthWeb

DDOS attacks' ultimate lesson: Secure that infrastructure
By following best-of-breed security practices, many an e-business could at the least minimize their downtime to 10-15 minutes instead of the 2-4 hour lapses that occurred in the February DDOS attacks on Amazon, Yahoo and eBay. Source: EarthWeb (Sept 14, 2000)

Fast Path to Intrusion Detection and Event Logging
Most network administrators will face a computer security intrusion event sometime during their careers. Having an intrusion detection plan will result in earlier intrusion notification, minimize the consequences, and allow a quicker recovery. Microsoft provides several tools for intrusion detection, including event logging. This document will discuss intrusion detection and some of the Microsoft tools that you can use as part of an intrusion detection plan. Source: Microsoft TechNet

HOW TO: Enable Local Security Auditing in Windows 2000
Microsoft Knowledge Base Article Q248260 - This article describes how to enable local security auditing in Windows 2000. Administrators of local computers can use this method to set up local auditing of security access rights on individual Windows 2000-based computers.

HOW TO: Enable Active Directory Access Auditing in Windows 2000
Microsoft Knowledge Base Article Q314977 - This step-by-step article describes how to enable Active Directory access auditing in Windows 2000. The Active Directory should be audited to assess when authorized and unauthorized access is attempted. You can configure auditing of the Active Directory database. After you enable auditing, you can view the audit information in the Directory Service log that is located in the Event Viewer. Note that this log is only present on computers that are acting as Active Directory domain controllers.

HOW TO: Monitor for Unauthorized User Access in Windows 2000
Microsoft Knowledge Base Article Q300958 - This article describes how to monitor your system for unauthorized user access. There are two main steps: enabling security auditing and viewing the security logs. Note that different systems have different security needs, and the security topic is complex. Any user who sets up security audits on your system must be assigned to administrative groups or be given security rights and privileges.

Immediate intrusion detection: Catching hackers red-handed on your web server!
This white paper focuses on how administrators can set up their web servers successfully and safely. Describing the tools used by hackers to gain backdoor access to your IIS web servers, this paper details the necessary steps to detect successful intrusions on your network, as well as explaining how to prevent such attacks to your web server. Source: GFI.com

Intrusion Detection Take 2
A second look at intrusion-detection systems shows that a combination of network-based and host-based technologies is a promising strategy. But is it ready to safeguard your network? Source: Network Computing (Nov 1999)

Log-based intrusion-detection and -analysis in Windows 2000/NT
This white paper demonstrates that the audit and reporting facilities in Microsoft Windows NT and Microsoft Windows 2000, although a good foundation, fall far short of fulfilling real-life business needs. Therefore, the need exists for log-based intrusion-detection and -analysis tools. Source: GFI.com

Personal Firewalls/Intrusion Detection
The complexity of PC operating systems, applications and browsers has contributed to continual discovery of security weaknesses (which the typical user cannot be expected to follow or understand). Until now the standard tool for defending Windows was the Anti-Virus scanner, but this is no longer enough - the Personal Firewall has made its debut and should soon become an essential tool for Windows users connected to hostile networks. Source: Security Portal (July 17, 2000)

Preventing and Detecting Insider Attacks Using IDS
Insider attacks pose unique challenges for security administrators. This article will examine some ways in which intrusion detection systems can be used to help prevent and detect insider attacks. Source: SecurityFocus.com

This site and its contents are Copyright 1999-2003 by LabMice.net. Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is
affiliated with LabMice.net. The products referenced in this site are provided by parties other than LabMice.net. LabMice.net makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be
directed to the appropriate manufacturer or vendor.